How Secure is your Bulk SMS Gateway?

In an earlier post, we wrote about questions to ask your bulk SMS campaign provider. A bulk SMS campaign, albeit an effective channel for communicating with your customers, is not the only use of A2P SMS. A2P SMS can generally be classified into two categories: campaigns and transactional. The campaigns category includes all types of bulk SMS campaigns, such as marketing or advertising campaigns, promotional campaigns, awareness campaigns, and so on. Campaigns are typically sent to the masses. Transactional SMS are sent when a specific event is triggered, for example when a banking customer makes a credit card transaction. Transactional SMS are specific to an individual.

OTTs like WhatsApp, Viber, WeChat, and Facebook use transactional SMS for authentication and identity verification (these messages carry OTPs, or One-Time Passwords).

Transactional SMS are most commonly used by the financial industry to send banking and financial transaction alerts, account change notifications, bill payment advice, incoming or outgoing transfer acknowledgements, online banking password changes, and so on. Because transactional SMS are individual in nature and carry sensitive or personal information about the recipient, SMS gateway security becomes a top priority.

Does Security Matter to your Bulk SMS Provider?

When selecting an SMS provider for your transactional SMS, ask about their security practices. SMS gateway security is a big deal: there are many different layers that must be secured between the recipient’s handset and the enterprise application. Let’s look at some of these layers.

General SMS Gateway Security Practices

Before we discuss specific layers of security, there are some general security principles created specifically for the financial industry. These principles are governed by a security standard called PCI DSS (Payment Card Industry Data Security Standard). At a minimum, you need to know whether your SMS provider adopts the PCI DSS standard.

The Application Layer

First, there’s the application sending the SMS. How secure is the application? How vulnerable is the code to attacks? What level of security testing was performed on the application layer? Are there strict password rules in place? Do passwords expire? Is SSL or TLS used with a valid certificate? Is transmitted data encrypted? Is your sensitive customer data exposed; for example, does your SMS provider store sent SMS, and how secure is that archive? In the case of an attack, is your customer data (like credit card and bank account numbers) compromised? Does your SMS gateway use multi-factor or two-factor authentication (2FA) for login?

The Content Layer

Now let’s take a look at the content of the SMS. What level of protection does your SMS provider offer you against, say, the fraudulent use of your trademark? Will it allow anyone else to send SMS using your brand or company name? Are you protected? A simple feature like a warning when your account balance reaches a preset amount could give you an early sign that your account has been compromised. Does your SMS provider use IP address whitelisting to further secure your account and data?

The Interface Layer

SMS providers typically offer multiple interfaces and integration options to their SMS gateway, including SMPP, HTTP/S, XML, SOAP, and APIs. With all these interfaces come several potential security risks. Are the various interfaces protected by whitelisting IP addresses? What is the validity period of your API tokens?

The Network Layer

On the network and data center layer, you should look at things like the servers: where does your SMS gateway reside on the internet? How secure is your SMS gateway data center? What level of protection does your SMS gateway offer against unauthorized access (physical or virtual), Denial of Service attacks, hardware failure, spoofing, and, most importantly, the human element of attackers?